Editor's Note: A previous version of this story noted that U.S. Bancorp was among the banks targeted by DDoS on July 24, according to online traffic data collected by Keynote. On July 31, Keynote said that, upon deeper examination of data, U.S. Bank's online customers did experience performance issues on July 24, but those issues were not the result of a DDoS attack. This piece has been updated to reflect this new information.
A week after the self-proclaimed hacktivist group Izz ad-Din al-Qassam Cyber Fighters announced plans to launch a fourth phase of attacks against U.S. banks it's still not clear whether the group has resumed its distributed-denial-of-service activity.
DDoS attacks appear to have targeted two banks July 24 through July 27, according to Keynote, an online and mobile cloud testing and traffic monitoring provider, and other sources. But security vendors that track attacks linked to al-Qassam's botnet, known as Brobot, say they're uncertain exactly who was behind those attacks. While some attack evidence suggested a link to Brobot, nothing was definitive.
The online banking sites of JPMorgan Chase and Regions Financial Corp. experienced intermittent outages last week, Keynote says, and the outages appear to be DDoS-related.
Both banking institutions have previously been targeted by al-Qassam.
Chase and Regions declined to comment about the outages, but Chase did acknowledge intermittent online issues July 24 on Twitter, in response to customer complaints.
Detecting those online glitches, however, took some digging, says Aaron Rudger, Keynote's Web performance marketing manager. The online traffic patterns were different from what Keynote has recorded in the past for activity believed to be related to DDoS, he says.
"Normally with DDoS attacks, we see a ramping decline in a site's performance as the load against it builds," Rudger says. "Eventually, the site falls over when overwhelmed."
But in both of the outages tracked last week, that pattern was not present, he says. "It seems they were hit very hard, very fast - so fast, our agents did not observe the typical 'ramping' effect of an attack," he says.
The pattern divergence could signal a different type of DDoS approach, or merely be a byproduct of the steps the affected banking institutions were taking to mitigate their outages, or a combination of the two, he says.
And while both banks suffered slightly different types of errors - Chase was hit by DNS lookup errors and Regions was hit by traffic that allowed access to its homepage but kept eBanking inaccessible - Rudger says they bothl were, at least in part, linked to external issues.
The outages linked to Chase began during the morning of July 24, stopped and then picked back up in the afternoon, says one DDoS mitigation expert, who asked to remain anonymous. The first wave of attacks had no commands linked to Brobot, but the second wave did, the source says.
Regions showed similar patterns, though the outages spanned two days and eBanking remained inaccessible throughout the duration, he adds.
John LaCour, CEO of cybersecurity and intelligence firm PhishLabs, declined to comment about any particular banks affected by DDoS activity, but he confirmed that his company had tracked new attacks. He did not say, however, if those attacks were linked to Brobot.
Several other DDoS mitigation providers would not comment about last week's three apparent DDoS attacks. But the anonymous source says no one is certain whether al-Qassam is connected to those attacks.
After al-Qassam's announcement that it planned to launch a fourth phase of attacks, copycats may have decided to take advantage, launching attacks of their own hoping to be mistaken as al-Qassam, the source says.
The group hasn't attacked since the first week of May, when it announced it was halting its DDoS strikes in honor of Anonymous' Operation USA, bringing an end to its third phase of attacks, which began March 5 (see New Wave of DDoS Attacks Launched).
al-Qassam has repeatedly stated it's waging its attacks against U.S. banking institutions in protest of a Youtube movie trailer deemed offensive to Muslims.
"Other DDoS actors have started their hostilities, trying to blame (or at least be confused with) them on QCF," the source says. "We saw similar activity from the middle of Phase 2 onward, where fraudsters were attacking known [Operation] Ababil targets in order to straphang on the chaos that QCF was bringing."
Several security vendors tracking the group's Brobot say that the botnet is growing.
"The huge number of servers controlled by the attackers shows that this campaign was fully planned, intentionally organized and deliberate," says Frank Ip, vice president of U.S. operations for NSFOCUS, which tracks DDoS activity. "This leads us to wonder whether the attack campaign is supported or backed by a country or financially well-off organization behind the scenes. We expect that similar DDoS attack events will occur in the wake of the recent activity, employing more diversified and varying methods."